{
	"id": "e12ab270-5e97-4e09-912c-297d23003d4c",
	"created_at": "2026-04-06T00:12:40.175736Z",
	"updated_at": "2026-04-12T02:20:54.355835Z",
	"deleted_at": null,
	"sha1_hash": "66a685085100af17265e044e7fce5fff44e26bf0",
	"title": "Diamond Sleet supply chain compromise distributes a modified CyberLink installer | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 695393,
	"plain_text": "Diamond Sleet supply chain compromise distributes a modified CyberLink installer | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-11-22 · Archived: 2026-04-05 13:21:52 UTC\r\nMicrosoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a software company that develops multimedia software products. This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload. The file, which was signed using a valid certificate issued to CyberLink Corp., is hosted on legitimate update infrastructure owned by CyberLink and includes checks to limit the time window for execution and evade detection by security products. Thus far, the malicious activity has impacted over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States.\r\nMicrosoft attributes this activity with high confidence to Diamond Sleet, a North Korean threat actor. The second-stage payload observed in this campaign communicates with infrastructure that has been previously compromised by Diamond Sleet. More recently, Microsoft has observed Diamond Sleet utilizing trojanized open-source and proprietary software to target organizations in information technology, defense, and media.\r\nTo address the potential risk of further attacks against our customers, Microsoft has taken the following steps to protect customers in response to this malicious activity:\r\nMicrosoft has communicated this supply chain compromise to CyberLink\r\nMicrosoft is notifying Microsoft Defender for Endpoint customers that have been targeted or compromised in this campaign\r\nMicrosoft reported the attack to GitHub, which removed the second-stage payload in accordance with its Acceptable Use Policies\r\nMicrosoft has added the CyberLink Corp. certificate used to sign the malicious file to its disallowed certificate list\r\nMicrosoft Defender for Endpoint detects this activity as Diamond Sleet activity group.\r\nMicrosoft Defender Antivirus detects the malware as Trojan:Win32/LambLoad.\r\nMicrosoft may update this blog as additional insight is gained into the tactics, techniques, and procedures (TTPs) used by the threat actor in this active and ongoing campaign.\r\nWho is Diamond Sleet?\r\nThe actor that Microsoft tracks as Diamond Sleet (formerly ZINC) is a North Korea-based activity group known to target media, defense, and information technology (IT) industries globally. Diamond Sleet focuses on espionage, theft of personal and corporate data, financial gain, and corporate network destruction. Diamond Sleet is known to use a variety of custom malware that is exclusive to the group. Recent Diamond Sleet malware is described in Microsoft’s reporting of the group’s weaponization of open source software and exploitation of N-day vulnerabilities. Diamond Sleet overlaps with activity tracked by other security companies as Temp.Hermit and Labyrinth Chollima.\r\nActivity overview\r\nMicrosoft has observed suspicious activity associated with the modified CyberLink installer file as early as October 20, 2023. The malicious file has been seen on over 100 devices in multiple countries, including Japan, Taiwan, Canada, and the United States. While Microsoft has not yet identified hands-on-keyboard activity carried out after compromise via this malware, the group has historically:\r\nExfiltrated sensitive data from victim environments\r\nCompromised software build environments\r\nMoved downstream to additional victims for further exploitation\r\nUsed techniques to establish persistent access to victim environments\r\nDiamond Sleet utilized a legitimate code signing certificate issued to CyberLink Corp. to sign the malicious executable. This certificate has been added to Microsoft’s disallowed certificate list to protect customers from future malicious use of the certificate:\r\nSigner: CyberLink Corp.\r\nIssuer: DigiCert SHA2 Assured ID Code Signing CA\r\nSignerHash: 8aa3877ab68ba56dabc2f2802e813dc36678aef4\r\nCertificateSerialNumber: 0a08d3601636378f0a7d64fd09e4a13b\r\nMicrosoft currently tracks the malicious application and associated payloads as LambLoad.\r\nLambLoad\r\nLambLoad is a weaponized downloader and loader containing malicious code added to a legitimate CyberLink application. The primary LambLoad loader/downloader sample Microsoft identified has the SHA-256 hash 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be.\r\nBefore launching any malicious code, the LambLoad executable ensures that the date and time of the local host align with a preconfigured execution period.\r\nFigure 1. Code for checking date and time of local host\r\nThe loader then targets environments that are not using security software affiliated with FireEye, CrowdStrike, or Tanium by checking for the following process names:\r\ncsfalconservice.exe (CrowdStrike Falcon)\r\nxagt.exe (FireEye agent)\r\ntaniumclient.exe (Tanium EDR solution)\r\nIf these criteria are not met, the executable continues running the CyberLink software and abandons further execution of malicious code. Otherwise, the software attempts to contact one of three URLs to download the second-stage payload embedded inside a file masquerading as a PNG file using the static User-Agent ‘Microsoft Internet Explorer’:\r\nhxxps[:]//i.stack.imgur[.]com/NDTUM.png\r\nhxxps[:]//www.webville[.]net/images/CL202966126.png\r\nhxxps[:]//cldownloader.github[.]io/logo.png\r\nThe PNG file contains an embedded payload inside a fake outer PNG header that is carved, decrypted, and launched in memory.\r\nFigure 2. Payload embedded in PNG file\r\nWhen invoked, the in-memory executable attempts to contact the following callbacks for further instruction. Both domains are legitimate but have been compromised by Diamond Sleet:\r\nhxxps[:]//mantis.jancom[.]pl/bluemantis/image/addon/addin.php\r\nhxxps[:]//zeduzeventos.busqueabuse[.]com/wp-admin/js/widgets/sub/wids.php\r\nThe crypted contents of the PNG file (SHA-256: 089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d) may be manually carved using the following command:\r\nTo restore the in-memory payload statically for independent analysis, the following Python script can be used to decrypt the carved contents.\r\nTo crypt and verify:\r\nBoth the fake PNG and decrypted PE payload have been made available on VirusTotal.\r\nRecommendations\r\nMicrosoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.\r\nUse Microsoft Defender Antivirus to protect from this threat. Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.\r\nEnable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.\r\nEnable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.\r\nTake immediate action to address malicious activity on the impacted device. If malicious code has been launched, the attacker has likely taken complete control of the device. Immediately isolate the system and perform a reset of credentials and tokens.\r\nInvestigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities. Ensure data integrity with hash codes.\r\nTurn on the following attack surface reduction rule: Block executable files from running unless they meet a prevalence, age, or trusted list criterion.\r\nDetection details\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojan:Win32/LambLoad.A!dha\r\nTrojan:Win32/LambLoad.B!dha\r\nTrojan:Win32/LambLoad.C!dha\r\nTrojan:Win64/LambLoad.D!dha\r\nTrojan:Win64/LambLoad.E!dha\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following title in the security center can indicate threat activity on your network:\r\nDiamond Sleet activity group\r\nThe following alert might also indicate threat activity related to this threat. Note, however, that this alert can also be triggered by unrelated threat activity.\r\nAn executable loaded an unexpected dll\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\r\nMicrosoft Defender Threat Intelligence\r\nDiamond Sleet\r\nDiamond Sleet supply chain compromise at distributes a modified CyberLink installer\r\nMicrosoft Defender XDR Threat analytics\r\nActor profile: Diamond Sleet\r\nActivity profile: Diamond Sleet supply chain compromise at distributes a modified CyberLink installer\r\nHunting queries\r\nMicrosoft Defender XDR\r\nMicrosoft Defender XDR (formerly Microsoft 365 Defender) customers can run the following query to find related activity in their networks:\r\nlet iocs = dynamic([\"166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be\",\r\n\"089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d\",\r\n\"915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1\"]);\r\nDeviceFileEvents\r\n| where ActionType == \"FileCreated\"\r\n| where SHA256 in (iocs)\r\n| project Timestamp, DeviceName, FileName, FolderPath, SHA256\r\nMicrosoft Defender XDR and Microsoft Sentinel\r\nThis query can be used in both Microsoft Defender XDR advanced hunting and Microsoft Sentinel Log Analytics. It surfaces devices where the modified CyberLink installer can be found.\r\nDeviceFileCertificateInfo\r\n| where Signer contains \"CyberLink Corp\"\r\n| where CertificateSerialNumber == \"0a08d3601636378f0a7d64fd09e4a13b\"\r\n| where SignerHash == \"8aa3877ab68ba56dabc2f2802e813dc36678aef4\"\r\n| join DeviceFileEvents on SHA1\r\n| distinct DeviceName, FileName, FolderPath, SHA1, SHA256, IsTrusted, IsRootSignerMicrosoft, SignerHash\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nThe following YAMLs contain queries that surface activities related to this attack:\r\nUncommon processes\r\nWindows installer packages\r\nProcess entropy\r\nRare process path\r\nDevice network events with low-count FQDN\r\nIndicators of compromise\r\nThe list below provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.\r\nIndicator | Type | Description\r\n166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be | SHA-256 | Trojanized CyberLink installer (LambLoad)\r\n089573b3a1167f387dcdad5e014a5132e998b2c89bff29bcf8b06dd497d4e63d | SHA-256 | Second-stage PNG payload\r\n915c2495e03ff7408f11a2a197f23344004c533ff87db4b807cc937f80c217a1 | SHA-256 | Decrypted PE from second-stage PNG\r\nhxxps[:]//update.cyberlink[.]com/Retail/Promeo/RDZCMSFY1ELY/CyberLink_Promeo_Downloader.exe | URL | CyberLink update URL used to deliver malicious installer\r\nhxxps[:]//update.cyberlink[.]com/Retail/Patch/Promeo/DL/RDZCMSFY1ELY/CyberLink_Promeo_Downloader.exe | URL | CyberLink update URL used to deliver malicious installer\r\nhxxps[:]//cldownloader.github[.]io/logo.png | URL | Stage 2 staging URL\r\nhxxps[:]//i.stack.imgur[.]com/NDTUM.png | URL | Stage 2 staging URL\r\nhxxps[:]//www.webville[.]net/images/CL202966126.png | URL | Stage 2 staging URL\r\nhxxps[:]//mantis.jancom[.]pl/bluemantis/image/addon/addin.php | URL | Stage 2 callback URL\r\nhxxps[:]//zeduzeventos.busqueabuse[.]com/wpadmin/js/widgets/sub/wids.php | URL | Stage 2 callback URL\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/"
	],
	"report_names": [
		"diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-12T02:00:03.565204Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c1eadfd8-6e9c-4024-902d-555c9530fcea",
			"created_at": "2023-01-06T13:46:38.645834Z",
			"updated_at": "2026-04-12T02:00:03.156543Z",
			"deleted_at": null,
			"main_name": "TEMP.Hermit",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP.Hermit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-12T02:00:03.096111Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Hidden Cobra",
				"Bluenoroff",
				"Nickel Academy",
				"G0032",
				"Hastati Group",
				"NewRomanic Cyber Army Team",
				"Operation AppleJeus",
				"APT-C-26",
				"ATK117",
				"Sapphire Sleet",
				"Lazarus group",
				"Group 77",
				"COVELLITE",
				"ATK3",
				"BeagleBoyz",
				"Operation Troy",
				"Whois Hacking Team",
				"NICKEL GLADSTONE",
				"DEV-0139",
				"COPERNICIUM",
				"Black Artemis",
				"Dark Seoul",
				"Subgroup: Bluenoroff",
				"Operation GhostSecret",
				"Diamond Sleet",
				"Operation DarkSeoul",
				"Labyrinth Chollima",
				"APT 38",
				"TA404",
				"Unit 121",
				"Bureau 121",
				"APT38",
				"Stardust Chollima",
				"G0082",
				"DEV-1222",
				"Andariel",
				"Appleworm",
				"Citrine Sleet",
				"Moonstone Sleet"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-12T02:00:04.372061Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-12T02:00:04.689937Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-12T02:00:04.682473Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434360,
	"ts_updated_at": 1775960454,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66a685085100af17265e044e7fce5fff44e26bf0.pdf",
		"text": "https://archive.orkl.eu/66a685085100af17265e044e7fce5fff44e26bf0.txt",
		"img": "https://archive.orkl.eu/66a685085100af17265e044e7fce5fff44e26bf0.jpg"
	}
}